Tomcat

If Apache httpd is being used to proxy the IdP then Tomcat should not be listening on ports 443 and 8443. Therefore please comment out any existing <Connector> elements for port 443 and port 8443 in the Tomcat conf/server.xml file.

You will also need to ensure that the port 8009 connector is configured to accept messages proxied from Apache. In server.xml, find the port 8009 connector and edit it so that it looks like this:
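The page's own server.xml listing is not reproduced here. As an added check (not code from the original page or from the Shibboleth or Tomcat projects), the following Python script audits the Connector elements of a server.xml: it reports any connector still bound to port 443 or 8443 (which must be commented out when httpd proxies the IdP) and confirms that an AJP connector on port 8009 exists. The two server.xml documents inside it are constructed samples, the first showing the problem and the second the corrected state; the address="127.0.0.1" check is an extra hardening assumption, not something the page requires.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Tomcat conf/server.xml, reduced to the Connector
# elements that matter here: an HTTPS connector on 8443 is still active.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

# Constructed corrected sample: the 8443 connector is commented out and the
# AJP connector is bound to loopback so only the local httpd can reach it.
FIXED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" />
    -->
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

PROXIED_PORTS = {"443", "8443"}   # served by httpd, so Tomcat must not bind them
AJP_PORT = "8009"
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_connectors(server_xml: str) -> dict:
    """Return findings about the Connector elements of a server.xml document.

    conflicting    -- ports from PROXIED_PORTS that Tomcat would still bind
    ajp_present    -- an AJP-protocol connector on AJP_PORT exists
    ajp_local_only -- that connector carries a loopback 'address' attribute
                      (hardening assumption, not a requirement of the page)

    Commented-out connectors are invisible to the XML parser, which is exactly
    the state the page asks for.
    """
    root = ET.fromstring(server_xml)
    conflicting = []
    ajp = None
    for connector in root.iter("Connector"):
        port = connector.get("port")
        protocol = (connector.get("protocol") or "").upper()
        if port in PROXIED_PORTS:
            conflicting.append(port)
        if port == AJP_PORT and protocol.startswith("AJP"):
            ajp = connector
    address = ajp.get("address") if ajp is not None else None
    return {
        "conflicting": sorted(conflicting),
        "ajp_present": ajp is not None,
        "ajp_local_only": address in LOOPBACK,
    }


if __name__ == "__main__":
    for label, doc in (("before", SAMPLE_SERVER_XML), ("after", FIXED_SERVER_XML)):
        print(label, audit_connectors(doc))
```

Run against a real conf/server.xml by reading the file into a string and passing it to audit_connectors. Note that Tomcat releases much newer than the ones this page targets (8.5.51 and 9.0.31 onwards) bind the AJP connector to loopback by default and also require a shared secret (or secretRequired="false") before the connector will start, so on those versions a proxied setup needs the matching secret on the httpd side as well.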

Apache Modules and Proxy

You will need to edit the Apache httpd configuration file httpd.conf so that Apache passes requests for "/idp/" to Tomcat, which listens on localhost port 8009. Add this line to the end of the file:

ProxyPass /idp/ ajp://localhost:8009/idp/

Also, if you are using the Windows operating system then you need to find the following lines in httpd.conf and uncomment them (by removing the leading "#") to activate the necessary modules and include the SSL configuration file:

Apache VirtualHost

This assumes that you are using the standard ports 443 and 8443 for the IdP. Apache needs to be listening on both of these, so you will need these two lines in your configuration; they are usually put in httpd.conf or httpd-ssl.conf (or ssl.conf in Linux):

Some organisations have configured the httpd on one VirtualHost with Location directives to distinguish AA and Artifact traffic from SSO traffic. We strongly recommend you do not use that configuration, because of this SSL re-negotiation problem, and because it significantly complicates both configuration and troubleshooting.

The file names idp.crt and idp.key in the Apache configuration code below refer to your self-signed certificate. The ssl-cert.crt, ssl-cert.key and intermediate.pem files are your CA certificate file, its private key file and the CA's intermediate certificate file. The CA should have sent you the intermediate certificate file with your certificate, or made it available for download. The intermediate certificate may actually be a "bundle" of several certificates concatenated together. Please note that you should not include the CA's root certificate in the intermediate certificate bundle, because some SSL clients cannot verify the certificate chain if the root certificate is present. The intermediate certificate in the configuration given below has a .pem filename extension, but this might be different in your case. The names and locations of your files may be different, so you will need to edit this code accordingly.

You should check that the configuration options below are correct for your platform. For example, different distributions have different ciphersuites available, so you should check that the recommendations below do not specify ciphersuites which do not exist in your distribution. We also know that the SSLProtocol directives below (which are intended to specify that only the three TLSv1 protocols should be used, as other protocols are known to be insecure) are correct for Red Hat Enterprise Linux 7 or Red Hat Enterprise Linux 6.6 and later, but for other Red Hat platforms the correct directive is SSLProtocol -All +TLSv1.
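The page's own httpd.conf and VirtualHost listings are not reproduced here. As an added example (not code from the original page or from the Apache project), the following Python script checks an httpd configuration fragment for the points made in the Apache sections above: that httpd listens on both 443 and 8443, that "/idp/" is proxied to ajp://localhost:8009/idp/, and, for each VirtualHost, which protocols its SSLProtocol directive actually enables. The protocol evaluator applies mod_ssl's +/- semantics, so it shows why "-All +TLSv1 +TLSv1.1 +TLSv1.2" leaves only the three TLSv1 protocols while a bare "all" still enables SSLv3. The configuration fragment is a constructed sample, and the contents of "all" is assumed to be mod_ssl's 2.2/2.4 set (SSLv3 plus the three TLSv1 versions; SSLv2 is never included).

```python
import re

# Constructed httpd.conf / httpd-ssl.conf fragment. The *:443 host uses the
# recommended directive; the *:8443 host is left on "all" to show the problem.
SAMPLE_HTTPD_CONF = """
Listen 443
Listen 8443
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
ProxyPass /idp/ ajp://localhost:8009/idp/
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    SSLProtocol all
</VirtualHost>
"""

# Assumption: what mod_ssl (2.2 / 2.4 of the era the page targets) means by "all".
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
INSECURE = {"SSLv2", "SSLv3"}
REQUIRED_LISTEN_PORTS = {"443", "8443"}


def enabled_protocols(directive_args: str) -> set:
    """Evaluate the argument list of an SSLProtocol directive.

    A token with a '+' or '-' prefix adds to or removes from the running set;
    a token without a prefix replaces the set (mod_ssl semantics).
    """
    enabled = set()
    for tok in directive_args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        members = ALL_PROTOCOLS if name.lower() == "all" else {name}
        if sign == "+":
            enabled |= members
        elif sign == "-":
            enabled -= members
        else:
            enabled = set(members)
    return enabled


def audit_httpd(conf: str) -> dict:
    """Check Listen ports, the /idp/ ProxyPass and per-VirtualHost protocols."""
    listens = set(re.findall(r"^\s*Listen\s+(?:\S*:)?(\d+)", conf, re.M))
    proxypass = re.findall(r"^\s*ProxyPass\s+(\S+)\s+(\S+)", conf, re.M)
    findings = {
        "listens_ok": REQUIRED_LISTEN_PORTS <= listens,
        "idp_proxied_to_ajp": any(
            path == "/idp/" and target.startswith("ajp://localhost:8009/")
            for path, target in proxypass
        ),
        "insecure_protocol_hosts": [],   # hosts that still allow SSLv2/SSLv3
    }
    for m in re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf, re.S):
        host, body = m.group(1), m.group(2)
        directive = re.search(r"^\s*SSLProtocol\s+(.+)$", body, re.M)
        # mod_ssl's default when the directive is absent is "all".
        enabled = enabled_protocols(directive.group(1)) if directive else ALL_PROTOCOLS
        if enabled & INSECURE:
            findings["insecure_protocol_hosts"].append(host)
    return findings


if __name__ == "__main__":
    print(audit_httpd(SAMPLE_HTTPD_CONF))
    print("-All +TLSv1 enables", enabled_protocols("-All +TLSv1"))
```

The evaluator is deliberately strict about SSLv3: a VirtualHost with no SSLProtocol directive at all is reported, because the mod_ssl default is "all". Ciphersuite names are platform dependent, as the text says, so the script does not try to validate SSLCipherSuite; the authoritative test for that remains the distribution's own openssl ciphers output.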